Message-Id: <201209242353.54353.geissert@debian.org>
Date: Mon, 24 Sep 2012 23:53:53 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: George Argyros <argyros.george@...il.com>,
 Aggelos Kiayias <aggelos@...yias.com>,
 Vladimir Vorontsov <vladimir.vorontsov@...ec.ru>,
 gifts <gifts.antichat@...il.com>,
 Anthony Ferrara <ircmaxell@...il.com>,
 Pierre Joye <pierre.php@...il.com>
Subject: Re: Randomness Attacks Against PHP Applications

On Sunday 23 September 2012 00:14:47 Solar Designer wrote:
> > I agree too that education is important. This is something that we
> > came to an agreement with the PHP team (for example that additional
> > information is needed on the mt_rand manual). However, as pointed out
> > nothing has changed yet (the conversations between us and the PHP team
> > took place in March/April).
> 
> Did PHP 5.4's change of session IDs (vs. 5.3's) occur before or after
> your conversations with them?

If you are referring to using /dev/urandom for entropy by default, it was 
changed because of:
https://bugs.php.net/bug.php?id=51436

in 2010.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
